DoD  Business  Mission  Area  Service-Oriented  Architecture 
to  Support  Business  Transformation 


Dennis  E.  Wisnosky,  Dimitry  Feldshteyn,  Wil  Mancuso,  A1  (Edward)  Gough,  Eric  J.  Riutort,  and  Paul  Strassman 

Department  of  Defense 


The  Department  of  Defense  (DoD)  Business  Mission  Mrea  (BABA)  accounts  for  roughly  half  of  the  DoD 
Information  Technology  (IT)  budget.  Many  of  the  DoD ’s  business  systems  have  been  in  use  for  years  and  are  straining 
to  support  the  agility  of  business  operations  necessary  today.  Ms  well,  many  new  systems  are  being  developed  on  such  a 
scale  that  it  takes  nearly  a  decade  to  produce  the  first  results.  M  potential  answer  to  this  situation  is  delivering  business 
capabilities  through  a  service-oriented  architecture  (SOMf .  Much  of  the  private  sector  is  rapidly  moving  in  this  direc¬ 
tion.  The  question  is,  will  it  work  for  the  DoD?  This  article  is  about  the  results  ofi  market  research  conducted  by  the 
BAAM  Chief  Technical  Officer  (CTO)  and  Chief  Architect  (CM)  over  a  period  of  about  six  months  to  learn  about 
state-of-the-art  SOM  and  what  the  DoD  can  count  on  from  SOM  vendors  to  deliver  both  business  services  and  SOM 


infrastructure  in  the  near-  to  mid-i 

The  DoD  is  perhaps  the  largest  and 
most  complex  organization  in  the 
world,  employing  nearly  1.4  million  people 
and  holding  approximately  $1.4  trillion  in 
assets.  IT  spending  for  business  support 
activities  in  the  DoD  BMA — funds  to 
operate,  maintain,  and  modernize  business 
systems — comprise  $15.7  billion  of  annu¬ 
al  DoD  IT  spending,  roughly  equal  to  the 
rest  of  the  federal  government. 

While  the  DoD  has  long  been 
acknowledged  for  its  premier  warfighting 
capabilities,  fragmentation  of  financial 
and  business  management  practices  leaves 
the  DoD  vulnerable  to  waste,  fraud,  and 
abuse,  as  well  as  risk  of  failure  on 
attempts  to  build  larger,  more  complex 
systems.  To  support  the  DoD  mission 
and  the  changing  nature  of  the  threats  to 


which  the  federal  government  must 
respond,  the  DoD  BMA  is  engaged  in  a 
massive  business  transformation.  It  must 
modernize  and  become  agile  in  order  to 
support  21st  century  national  security 
requirements.  The  BMA  CTO  evaluated 
DoD  BMA  enterprise  processes  and  asso¬ 
ciated  systems — including  human  re¬ 
source  and  personnel  management,  sup¬ 
ply  chain,  and  logistics,  as  wed  as  financial 
and  accounting  management  functions — 
to  determine  the  best  strategy  for  achiev¬ 
ing  agility.  After  analysis  and  assessment 
of  BMA  objectives  and  study  of  the  over¬ 
all  direction  for  IT  within  the  DoD,  the 
strategy  selected  to  move  the  BMA  for¬ 
ward  is  the  adoption  of  an  SOA. 

The  U.S.  Government  Accountability 
Office  describes  an  SOA  as  an  ‘‘approach 


for  sharing  functions  and  applications 
across  an  organization  by  designing  them 
as  discrete,  reusable,  business-oriented  ser¬ 
vices”  [1].  Most  importantly,  an  SOA  is  a 
mechanism  by  which  business  capabilities 
can  be  aligned  with  the  technical  infra¬ 
structure  in  support  of  an  agile  business 
strategy.  The  DoD’s  SOA  vision  calls  for 
such  alignment  through  an  architecture  of 
discrete  components  called  services  deliver¬ 
ing  business  capabilities  deployed  in  a  sup¬ 
portive  infrastructure  designed  for  this  pur¬ 
pose.  The  Office  of  the  BMA  CTO  and 
CA  collaborated  with  the  chief  informa¬ 
tion  officers  (CIOs)  representing  the  mili¬ 
tary  services,  defense  agencies,  combatant 
commands,  mission  areas,  and  DoD 
Enterprise  Services  to  develop  an  SOA 
strategy,  including  a  supporting  environ- 


Figure  1 :  The  Business  Transformation  Infrastructure 
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ment  termed  the  Business  Operating 
Environment  (BOE).  The  BOE  leverages 
industry  best  practices  to  federate  techni¬ 
cal  architectures,  develop  capability 
requirements,  and  support  the  delivery  of 
portfolios  of  business  capabilities  based 
on  collections  of  atomic  and/or  compos¬ 
ite  service  orchestrations.  The  BOE  is 
defined  in  [2],  which  details  the  infrastruc¬ 
ture  component  of  the  BOE  and  the  busi¬ 
ness  transformation  infrastructure  (BTI), 
shown  in  Figure  1  (on  the  previous  page). 
Some  functions  of  the  BTI  will  be  met 
through  and  built  upon  the  DoD  Global 
Information  Grid  Enterprise  Services. 
The  technical  core  of  the  BTI,  designated 
the  Business  Transformation  Engine 
(BTE),  is  to  be  built  from  commercially 
available  products. 

To  assess  the  feasibility  of  this  strate¬ 
gy,  the  BMA  CTO  conducted  market 
research  into  maturity  and  readiness  to 
support  this  strategy  in  SOA  technologies 
from  more  than  30  organizations.  These 
had  survived  a  preliminary  screening  to 
ensure  that  they  were  realistic  and  rele¬ 
vant.  The  technical  research  included  all 
components  of  the  BTE,  and  was  con¬ 
ducted  in  accordance  with  departmental 
regulations  guiding  pre-acquisition  market 
research.  The  organizations  provided  live 
demonstrations  of  their  development, 
test,  operational,  and  production  environ¬ 
ments.  CIO  offices  from  each  military  ser¬ 
vice  and  many  defense  agencies  were 
invited  to  attend  and  participate  in  the 
presentations.  This  article  provides 
research  conclusions  across  the  BTE  com¬ 
ponents  (numbered  in  Figure  1),  as  well  as 
SOA  information  assurance  and  gover¬ 
nance. 

Industry  Readiness  to  Support 
Key  BTI  Capabilities 

The  research  approach  gathered  data  to 
correspond  to  key  technical  capabilities 
required  to  build  the  BTI  and  included  an 
assessment  of  the  industry’s  maturity  in 
providing  tools  to  support  these  technical 
capabilities.  The  research  did  not  consider 
SOA  technologies  not  relevant  to  the  BTI. 
In  this  section,  we  present  the  assessment. 

Interoperability  Controller 

The  interoperability  controller  component 
of  the  BTI  is  a  pattern  or  foundation 
architecture  for  brokering,  routing,  and 
processing  messages  and  service  invoca¬ 
tions  within  an  SOA.  It  consists  of  an 
extensible  set  of  integration  brokers  inter¬ 
connected  on  the  network  by  robust  mes¬ 
saging  middleware.  The  research  looked  at 
products  supporting  this  pattern,  examin¬ 


ing  them  for  a  number  of  characteristics, 
including  support  for  indirection  and 
interception,  loose  coupling,  scalability, 
and  robustness.  In  general,  the  products 
that  most  closely  support  this  pattern  are 
enterprise  service  bus  (ESB)  products,  as 
well  as  enterprise  application  integration 
and  message-oriented  middleware  through 
composition. 

The  market  research  shows  that  the 
state  of  industry  products  as  reasonably 
mature  and  can  support  the  implementa¬ 
tion  of  the  BMA  vision  for  the  BTFs 
interoperability  controller  component. 
The  message-oriented  middleware  and 
enterprise  application  integration  product 
vendors  have  been  working  in  this  direc¬ 
tion  through  many  generations  of  prod- 

*^The  challenge  ...  is  to 
build  a  standards-based 
SOA  that  leverages  the 
success  of  Web 
technologies  rather  than 
an  ESB-based  solution 
that  provides  some 
aspects  of  SOA  but 
could  lead  to 
over-dependence  on  a 
particular  vendor's 
technology/^ 

ucts.  The  ESB  vendors  have  built  on  this 
experience  to  provide  an  enterprise-wide 
solution,  though  often  with  proprietary 
features.  The  challenge  with  the  latter  is  to 
build  a  standards-based  SOA  that  lever¬ 
ages  the  success  of  Web  technologies 
rather  than  an  ESB-based  solution  that 
provides  some  aspects  of  SOA  but  could 
lead  to  over-dependence  on  a  particular 
vendor’s  technology. 

Mediation  -  Standard  and  High 
Volume 

While  increasingly  more  BMA  systems 
and  data  sources  will  communicate 
natively  in  terms  of  standard  message 
sets  and  vocabularies,  there  is  a  short¬ 
term  need  for  mediation  of  information 
exchanges,  translating,  and  transforming 
messages  between  information  providers 


and  consumers.  The  research  found  good 
support  of  this  pattern  in  both  the  stan¬ 
dard  and  high-volume  variations.  Many 
vendors,  (such  as  Fiorano,  BEA  Systems, 
IBM,  Iona,  Tibco,  and  webMethods)  are 
producing  capable  transformation 
engines,  especially  those  focused  on 
extensible  Markup  Language  (XML) 
messaging  and  the  use  of  Extensible 
Stylesheet  Language  Transformation 
engines.  For  high  volume,  Ab  Initio,  with 
its  advanced  parallel  processing  capabili¬ 
ties,  allows  for  the  development  of  high- 
performance,  straight-through  mediation 
services.  However,  the  vision  for  dynam¬ 
ic  generation  of  transformations  on  a 
semantic  mediation  basis  was  found  to 
still  be  a  future  capability.  The  semantic 
technology  needed  is  immature,  so 
semantic  tools  from  companies  like 
Revelytix  and  IBM  are  best  suited  for 
supporting  development  time  activities, 
with  semantics  being  early-bound  into 
runtime  environments. 

Service  Discovery  and  Metadata 
Registries 

The  BMA’s  approach  to  SOA  calls  for 
metadata  registries  and  repositories  sup¬ 
porting  the  discovery  of  services  and 
information  assets.  DoD  registries  are 
built  around  Organization  for  the 
Advancement  of  Structured  Information 
standards,  such  as  Universal  Description 
and  Discovery  Interface  (UDDI)  and  elec¬ 
tronic  business  XML  (ebXML)  Registry 
Information  Model  and  Registry  Services 
(including  a  UDDI  service  registry),  a 
Metadata  Registry  that  contains  the  DoD’s 
structural  and  semantic  metadata,  and  an 
enterprise  catalog  containing  DoD  specifi¬ 
cation  metadata  to  support  discovery  of 
information  assets.  Given  the  DoD’s  size 
and  the  likely  need  to  federate  registries, 
the  BMA  included  this  category  in  the 
market  research. 

Many  of  the  vendors  in  the  market 
research  provide  UDDI  service  registries, 
notably  Systinet,  now  a  part  of  HP.  Many 
vendors  include  UDDI  capability  (e.g., 
IBM,  BEA,  Software  AG),  with  a  number 
of  vendors  using  Systinet.  Many  vendors 
also  include  metadata  management  capa¬ 
bilities  and  repository  components  (e.g., 
Fiorano,  Lombardi),  while  others  such  as 
Revelytix  specialize  around  semantic 
metadata.  The  DoD’s  metadata  discovery 
specification  is  not  directly  supported  by 
vendors,  though  those  that  support  the 
ebXML  architecture  can  act  as  enterprise 
catalog  instances. 

Business  Activity  Monitoring 

Business  activity  monitoring  (BAM) 


26  CrossTalk  The  Journal  of  Defense  Software  Engineering 


October  2008 


DoD  Business  Mission  Area  Service-Oriented  Architecture  to  Support  Business  Transformation 


allows  management  of  an  SOA  in  busi¬ 
ness  terms.  Market  research  found  that 
BAM  is  still  in  early  development.  There 
are  many  vendors  providing  BAM  func¬ 
tionality  coming  from  diverse  industry 
segments.  Application  integration  and 
enterprise  software  vendors  (BEA, 
Fiorano,  IBM,  IONA  Technologies, 
Microsoft,  Oracle,  SAP,  TIB  CO,  web- 
Methods,  etc.)  are  extending  existing 
assets  and  acquiring  additional  capabili¬ 
ties  in  order  to  support  BAM.  Business 
intelligence  vendors  (Business  Objects, 
Cognos,  Software  AG,  etc.)  are  working 
to  adapt  technology  and  incorporate 
business  rules  engines  into  their  solu¬ 
tions  to  support  real-time  BAM  opera¬ 
tions.  There  is  also  a  set  of  pure-play 
BAM  providers  who  focus  on  complete 
BAM  solutions.  Overall,  the  research 
found  little  standardization  across  ven¬ 
dor  implementations,  making  true  inter¬ 
operability  difficult  to  achieve  on  an 
enterprise  level.  The  most  common  uses 
found  in  the  research  revolve  more 
around  project-based,  application-spe¬ 
cific  uses  rather  than  as  general  enter¬ 
prise  infrastructure. 

Enterprise  Services  Management 

Enterprise  services  management  (ESM) 
provides  for  managing  the  service  life 
cycle  and  is  the  foundation  for  SOA  run¬ 
time  governance.  Market  research  found 
a  limited  number  of  SOA  ESM  vendors. 
The  main  vendors  (e.g.,  IBM,  Hewlett- 
Packard)  possess  strong  portfolios  in 
traditional  network  management  and 
integrated  service  management  markets 
that  they  have  extended  to  ESM.  Most 
of  the  tools  researched  include  feature 
sets  spanning  the  range  from  low-level 
IT  service  management  to  the  higher- 
level  business  management  needs,  and 
the  differences  are  more  in  terms  of 
focus.  Often,  a  more  comprehensive 
solution  can  be  composed  by  combining 
products  (e.g.,  AmberPoint  and  HP 
OpenView  SOA  Manager). 

Business  Process  and  Workflow 
Automation  (Business  Process 
Modeling,  Execution,  and  Monitoring) 

The  BTI  must  provide  for  the  modeling 
and  execution  of  business  processes 
through  the  orchestration  of  services, 
and  the  monitoring  of  those  business 
processes.  While  the  research  found  that 
there  are  still  many  proprietary  modeling 
offerings,  there  is  considerable  conver¬ 
gence  around  Business  Process 
Modeling  Notation  (BPMN).  The 
research  also  found  strong  support 
across  vendors  for  the  Business  Process 


Execution  Language  standard,  though 
there  is  also  emerging  support  for  direct 
execution  of  BPMN  through  the  use  of 
the  XML  Process  Definition  Language, 
an  XML  serialization  of  BPMN.  Many 
vendors  also  provide  the  needed  moni¬ 
toring  of  those  processes  at  runtime, 
often  building  on  extensive  experience 
with  network  and  application  monitor¬ 
ing  capabilities.  Still  further  in  the  future 
are  tools  with  semantic  continuity  from 
modeling  to  execution  in  the  business 
process  arena;  however,  the  research  did 
find  that  what  already  exists  is  maturing 
rapidly,  and  can  provide  a  base  for 
implementing  the  BTI.  Perhaps  surpris¬ 
ingly,  not  a  single  vendor  included  the 
Unified  Modeling  Language  in  either  its 
list  of  product  offerings  relative  to  an 
SOA,  or  as  a  tool  that  it  uses  in  its  SOA 
engagements. 


.  the  DoD  is 
making  lA  services 
a  part  of  the 
Net-Centric  Core 
Enterprise  Services  so 
that  security  is 
ubiquitous,  well-tested, 
and  a  part  of 
the  infrastructure/^ 


Data  Virtualization  and  Data 
Services 

Among  virtualization  trends,  virtualizing 
data  sources  has  emerged  as  a  real-world 
capability,  and  is  a  key  component  of  the 
BMA  SOA  vision  in  which  a  virtual  data 
store  makes  information  from  many 
sources  available  in  real  time  without  a 
physical  store.  The  vendors  include 
Composite  Software,  Red  Hat  Meta¬ 
matrix,  IBM,  and  Streambase. 

The  BMA  research  found  that  over¬ 
all  data  virtualization  and  associated  data 
services  have  matured  to  the  point  that 
there  are  many  cases  where  they  can 
produce  high-performance  and  robust 
data  sources  and  services  to  be  used  in  a 
net-centric  environment,  significantly 
reducing  the  latency  in  data  availability 
to  business  analysts  and  decision  makers 
who  do  not  need  to  wait  for  the  period¬ 
ic  load  of  a  data  warehouse  or  data  mart. 


Information  Assurance  for 
SOA 

An  SOA  introduces  new  information 
assurance  (lA)  challenges.  The  interop¬ 
erability  and  extended,  net-centric  data 
sharing  capabilities  enabled  by  SOAs  are 
themselves  potential  points  of  vulnera¬ 
bility.  A  compromised  service  registry 
provides  an  attacker  with  a  detailed  map 
of  the  operations  and  capabilities  of  an 
organization.  Standards  and  standard 
protocols  narrow  the  range  of  network 
capabilities  that  an  attacker  must  sub¬ 
vert,  and  success  wins  wide  access. 
Deploying  an  SOA  in  a  responsible  fash¬ 
ion  must  consider  the  effects  of  infor¬ 
mation  warfare  in  addition  to  other  plan¬ 
ning.  Only  through  such  lA  diligence 
will  the  DoD  be  able  to  truly  realize  the 
savings  and  benefits  that  an  SOA 
promises  for  a  large,  geographically  dis¬ 
persed  organization  that  must  operate  in 
the  face  of  the  exigencies  of  war. 
Additionally,  SOAs  must  also  meet  old 
I A  challenges  including  reliability,  avail¬ 
ability,  and  non-repudiation.  An  SOA 
does  not  relieve  implementers  of  the 
responsibility  for  solid  engineering  in 
areas  of  platforms,  networking,  back¬ 
ups,  and  auditing.  Past  best  practices  and 
standards  must  be  brought  to  bear  on 
SOA  implementations  as  well  as  tradi¬ 
tional  ones. 

As  would  be  expected,  the  DoD  is 
making  lA  services  a  part  of  the  Net- 
Centric  Core  Enterprise  Services  so  that 
security  is  ubiquitous,  well-tested,  and  a 
part  of  the  infrastructure.  An  SOA  pro¬ 
vides  the  possibility  to  externalize  secu¬ 
rity  as  a  common,  cross-cutting  set  of 
capabilities,  themselves  presented  as  ser¬ 
vices.  In  this  way,  each  application  or 
program  does  not  have  to  master  the 
complex  technical  capabilities  required, 
but  can  declaratively  define  lA  require¬ 
ments  and  expect  them  to  be  honored 
and  enforced  by  the  infrastructure.  At 
the  same  time,  DoD-level  lA  policy  can 
be  enforced  on  SOA  operations,  includ¬ 
ing  authorization  control,  redaction,  and 
auditing.  An  SOA  must  also  work  with 
the  DoD’s  Public  Key  Infrastructure  to 
enable  secure  single  sign-on,  and  to 
ensure  preservation  of  appropriate  non¬ 
repudiation  characteristics  as  people  and 
systems  take  action  against  DoD  and 
BMA  data  assets. 

The  BTI  is  intended  to  embrace  and 
extend  the  DoD  SOA  and  lA  foundations. 
During  the  research,  the  BMA  team  stud¬ 
ied  vendor  capabilities  with  regard  to  lA 
and  security  in  a  number  of  areas.  In  par¬ 
ticular,  there  was  support  for  emerging 
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Web  Services  security  standards  and  the 
inclusion  of  lA  capabilities,  both  for 
enabling  lA  and  for  working  with  an 
enterprise’s  existing  lA  infrastructure. 

•  Support  for  Web  Services  lA 
Standards.  Vendor  support  for  the 
Web  Services  standards  stack  (WS-*) 
and  related  sets  of  XML  and  network 
lA  standards — such  as  the  WS- 
Security  Assertion  Markup  Language, 
and  the  extensible  Access  Control 
Markup  Language — is  maturing  rapid¬ 
ly  along  with  the  standards  them¬ 
selves.  These  standards  are  key  to 
moving  lA  into  the  infrastructure,  the 
SOA  foundation,  and  enabling  a 
declarative  I  A.  Most  of  the  deep 
stacks  of  SOA  capability,  such  as 
those  from  IBM,  BEA,  Oracle,  and 
Microsoft,  have  incorporated  these 
standards  throughout. 

•  Enabling  lA  Infrastructure  Capa¬ 
bilities.  Some  organizations  includ¬ 
ed  in  the  research  (such  as 
AmberPoint)  focus  explicitly  on  pro¬ 
viding  SOA  security  capabilities.  The 
market  research  found  that  there  is  a 
trend  to  make  lA  an  integral  part  of 
SOA  through  provisioning,  gover¬ 
nance,  and  key  infrastructure,  such  as 
with  the  BTTs  interoperability  con¬ 
troller.  This  holds  out  the  promise 
that  as  an  SOA  is  implemented  in  the 
BMA,  it  will  not  prove  to  be  the  soft 
and  chewy  inside  of  a  hard  and  crunchy 
perimeter  defense. 

•  Integration  With  Existing  lA 
Infrastructure.  DoD  lA  must  be  a 
consideration  from  the  beginning  of 
the  life  cycle.  An  SOA  must  be  able 
to  work  and  interoperate  with  lA 
standards,  practices,  and  approaches 
developed  during  the  DoD  and  U.S. 
intelligence  community’s  long  experi¬ 
ence  in  producing  networked  IT  sys¬ 
tems  to  provide  defense  in  depth. 
The  market  research  found  that  there 
is  a  convergence  in  this  arena,  with 
the  DoD  looking  to  adopt  industry 
and  commercial  best  practices  in  lA 
for  its  solutions,  and  SOA  vendors 
(included  in  the  research)  willing  to 
meet  and  accommodate  the  stringent 
I A  requirements  of  the  DoD. 

Governance 

Governance — the  means  to  assure  that 
laws,  regulations,  and  policies  are  met  in 
IT  operations  and  investments — is  of 
key  importance  for  the  move  to  an  SOA. 
An  SOA  introduces  new  challenges  for 
IT  and  business  governance  due  to  solu¬ 
tions  composed  from  numerous  distrib¬ 
uted  services  in  an  environment  of  het¬ 


erogeneous  ownership  and  control,  and 
by  enabling  widespread  sharing  of  infor¬ 
mation  and  capabilities.  The  BMA  strat¬ 
egy  for  SOA  governance  addresses  both 
buildtime  and  runtime  needs. 

BuHdtime  (Investment)  Governance 

The  research  assessed  buildtime  gover¬ 
nance  in  the  following  areas: 

•  Enterprise  Architecture  Satisfac¬ 
tion.  The  research  found  that  enter¬ 
prise  architecture  tools  are  moving  to 
explicitly  model  services,  such  as 
those  from  Mega  Software  or  IBM 
(Telelogic).  However,  these  tools 
have  (at  most)  limited  interoperabili¬ 
ty  with  tools  used  to  design  and 
develop  services.  These  tools  also 

*^While  serious  caution 
remains  in  the  areas  of 
lA  and  security ...  the 
need  for  significant 
cultural  change  for 
successful  SOA 
implementation  cannot 
be  overemphasized  ..d* 

provide  little  in  the  way  of  automat¬ 
ed  compliance  checking  or  manage¬ 
ment  of  the  transition  between 
enterprise  architecture  models  and 
service  designs  and  implementations. 

•  Duplication  Avoidance.  The  re¬ 
search  found  that  this  aspect  of  gover¬ 
nance  is  provided  largely  by  the  ability 
of  SOA  development  tools  and  envi¬ 
ronments  to  access  service  registries 
and  repositories.  This  allows  develop¬ 
ers  to  determine  whether  an  imple¬ 
mentation  for  their  service  already 
exists.  Additional  metadata  repository 
capabilities  (providing  further  infor¬ 
mation)  support  this  process. 

•  Service  Usage.  The  market  research 
found  that  the  main  mechanisms  for 
assuring  that  existing  services  are 
used  as  appropriate  are  through 
development  tools  that  integrate 
with  an  enterprise’s  service  registries 
and  repositories.  These  tools  provide 
developers  with  service  descriptions 
and  specifications  at  design  and  build 
time.  Many  tool  vendors,  such  as 
Lombardi  and  IBM,  provide  this 
capability. 


•  Service  Verification.  The  market 
research  found  that  there  is  good 
support  for  test  and  verify  SOA  ser¬ 
vices — against  functional  require¬ 
ments  and  service  level  agreements 
(SLAs) — ^when  combined  with  more 
traditional  automated  testing  tools. 

•  SLA  Development.  The  market 
research  found  support  for  capturing 
SLAs,  but  support  for  the  actual  ini¬ 
tial  development  of  the  SLAs  is 
more  limited.  System  architects  and 
designers  need  to  pay  close  attention 
to  how  they  develop  SLAs  and  trans¬ 
late  them  into  digital  form  for  use  by 
automated  SLA  management  capa¬ 
bilities. 

Runtime  (Operations)  Governance 

Runtime  governance  should  provide  vis¬ 
ibility  into  service  operation  allowing 
management  of  services,  the  ability  to 
take  corrective  action  (as  needed)  to 
ensure  effectively  uninterrupted  business 
operations,  and  the  capture  of  operation 
audit  information.  Provisioning,  deploy¬ 
ing  new  services,  and  taking  old  services 
out  of  operation  without  significant 
impact  on  business  activities  or  overall 
operations,  are  key  parts  of  overall  run¬ 
time  governance.  Characteristics  looked 
for  in  runtime  governance  include  the 
following: 

•  Operational  Visibility.  Make  the 
runtime  state  visible  in  both  techni¬ 
cal  (network  and  machine  usage)  and 
business  terms. 

•  Service  Management.  Monitor 
and  manage  the  execution  and  oper¬ 
ation  of  services  in  an  SOA. 

•  Policy  Enforcement.  Enforce  secu¬ 
rity  and  other  policy-based  con¬ 
straints  in  a  declarative  fashion, 
external  to  SOA  services,  allowing 
systems  to  adapt  quickly  to  changing 
policy  circumstances  without  coding. 

•  Auditing.  Track  and  record  key 
events  and  actions  within  the  SOA 
environment  for  later  analysis. 

•  Provisioning  and  Configuration 
Management.  Provision  services 
for  deployment  in  the  SOA  and  track 
its  configuration  across  changes  as 
they  occur. 

Governance  Conclusions 

The  market  research  found  no  complete 
solution  available  as  a  single  package, 
but  there  is  considerable  governance 
capability  available  in  the  marketplace. 
For  example,  in  the  area  of  provisioning 
and  configuration  management,  the 
research  found  that  SOA  management 
tools  provide  some  of  this  capability. 
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but  may  need  to  be  joined  with  more  tra¬ 
ditional  configuration  management  and 
deployment  tools  for  reasonable  capabil¬ 
ity  Governance  capability  (as  required 
by  the  BMA  strategy  for  SOA)  can  be 
provided  through  commercial  tools,  but 
designers  must  carefully  assess  and 
acquire  the  components  from  various 
vendors  in  accordance  with  a  strong 
design  and  plan  that  they  must  create  for 
themselves. 

Conclusion 

The  DoD  BMA  has  embarked  on  an  SOA 
strategy.  The  ‘'BMA  Architecture  Feder¬ 
ation  Strategy  and  Roadmap”  provides 
guidance  for  the  DoD  BMA  to  quickly 
gain  business  value  by  delivering  capabili¬ 
ty  to  support  the  warfighter  through  an 
SOA,  while  using  a  phased  approach  for 
transforming  legacy  systems.  The  mar¬ 
ket  research  performed  by  the  BMA 
Office  of  the  CTO  and  CA  has  found 
that  industry  capabilities  to  implement 
or  enable  the  components  defined  in  the 
BMA  Service-Oriented  Infrastructure 
have  matured  in  the  marketplace.  While 
serious  caution  remains  in  the  areas  of 
lA  and  security,  and  the  need  for  signif¬ 
icant  cultural  change  for  successful  SOA 
implementation  cannot  be  overempha¬ 
sized,  it  is  clear  that  it  is  feasible  for  an 
enterprise  the  size  of  the  DoD  to  move 
forward  on  implementing  an  SOA  and 
to  realize  the  business  benefits  of  agility, 
interoperability,  and  net-centric  data 
sharing  that  an  SOA  provides. 

The  opinions  expressed  in  this  article 
are  those  of  the  authors  only  and  in  no 
way  constitutes  the  policy  or  express 
direction  of  the  DoD.  For  additional 
information  about  the  vendors,  see  the 
online  version  of  this  article. ♦ 

Note 

1.  According  to  the  U.S.  Government 
Accountability  Office,  ‘A  service- 
oriented  architecture  is  an  approach 
for  sharing  functions  and  applica¬ 
tions  across  an  organization  by 
designing  them  as  discrete,  reusable, 
business-oriented  services.  These 
services  need  to  be,  among  other 
things,  (1)  self-contained  ...;  (2)  pub¬ 
lished  and  exposed  as  self-describing 
...;  and  (3)  subscribed  to  via  well- 
defined  and  standardized  interfaces.” 
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